Increase performance and reduce system load by automatically excluding Office 365 traffic from your organization’s split tunnel VPN

As the coronavirus continues to spread, more organizations are gearing up to prepare for staff to work from home. To help our clients, we prepared this 10-point cybersecurity and knowledge management checklist. Tip #3 in the checklist includes several action items related to preparing the organization’s VPN for large-scale remote work. One of our recommended action items is to deploy a split tunnel VPN for Office 365 and other high-bandwidth cloud services so they can be accessed directly, without sending this traffic through a VPN.
Since Microsoft already provides high-quality encryption for their Office 365 cloud services, tunneling this traffic across your organization’s VPN doesn’t appreciably increase the security of these services. Tunneling already-encrypted cloud-based services isn’t a security requirement for most organizations, but excluding these services from a VPN can be tricky, because the IP ranges of cloud services change constantly as providers upgrade and expand their environments.
Fortunately for Office 365 users, Microsoft makes an API endpoint available that contains an always up-to-date list of the IPv4 and IPv6 network addresses used to provide their cloud services.
To help our clients and other organizations that are preparing to transition to a work-from-home environment in response to the coronavirus outbreak, we developed a new tool, unTun365. This tool is designed to automatically configure an OpenVPN-based VPN environment so that Office 365 traffic is not sent across the VPN.
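As an added illustration of the approach (example code written for this post, not the unTun365 source), the script below reads Microsoft's Office 365 endpoint feed, keeps only the "Optimize" and "Allow" categories, and renders OpenVPN push directives that route those networks to the client's own default gateway. The feed URL is Microsoft's IP Address and URL web service; the JSON sample is constructed in the shape of that feed so the example runs offline.

```python
import ipaddress
import json
import urllib.request
import uuid

# Microsoft's Office 365 IP Address and URL web service (the API the post refers to).
FEED_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"

# Constructed sample in the shape of that feed, so the example runs offline.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "required": True},
    {"id": 2, "serviceArea": "Common", "category": "Default",
     "urls": ["*.office.com"], "required": True},
    {"id": 3, "serviceArea": "SharePoint", "category": "Allow",
     "ips": ["13.107.6.152/31", "104.146.128.0/17"], "required": True},
])


def fetch_feed(timeout=10):
    """Download the live feed over HTTPS (not called by the offline example)."""
    with urllib.request.urlopen(FEED_URL.format(uuid.uuid4()), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def office365_networks(feed_json, categories=("Optimize", "Allow")):
    """Return the distinct IP networks in the chosen categories, IPv4 then IPv6.

    'Default' entries stay inside the tunnel. URL-only entries carry no
    addresses and cannot be excluded by a route, so they are skipped.
    """
    nets = set()
    for entry in json.loads(feed_json):
        if entry.get("category") not in categories:
            continue
        for cidr in entry.get("ips", []):
            nets.add(ipaddress.ip_network(cidr, strict=False))
    return sorted(nets, key=lambda n: (n.version, n))


def openvpn_exclusions(networks):
    """Render server-side push directives sending each IPv4 network to the
    client's own default gateway instead of the tunnel. With
    'redirect-gateway def1' these more-specific routes win over the two /1
    routes, so only Office 365 bypasses the VPN. IPv6 networks are returned
    separately: 'net_gateway' support for route-ipv6 varies by OpenVPN version.
    """
    v4 = [f'push "route {n.network_address} {n.netmask} net_gateway"'
          for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    return v4, v6
```

Re-run the script on a schedule and reload the server config, since the feed changes; a stale exclusion list silently pushes new Office 365 ranges back through the tunnel.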
We’ve made the code for unTun365 open source and published it to GitHub in the hopes that other organizations can use it as part of their response to coronavirus.